On 11/18/12 4:49 PM, Mountie Lee wrote:
> Could you guide me to the discussion thread for script nonce or
> fingerprint/hash?
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-nonce--experimental
May or may not be adopted as part of CSP 1.1 (CSP 1.0 isn't final yet!)
but discussion was favorable enough to include as a discussion point. It
does not directly address your issue -- it attempts to ensure that each
<script> tag was created by the page author and wasn't injected, but
does nothing to ensure the received content was the intended content.
-Dan Veditz
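
The distinction drawn in the reply above, as an added example that is not part of the original message or of the CSP draft: a simplified model of a nonce check (looks only at the tag's attribute) beside a hash check (looks at the script body). It uses the `'sha256-...'` source-expression form from later CSP levels rather than the experimental draft's syntax; the function names, the tag model and the sample scripts are constructed assumptions.

```python
import base64
import hashlib
import secrets


def new_nonce() -> str:
    """Fresh unpredictable value, generated once per HTTP response."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def hash_source(script_text: str) -> str:
    """Hash-source expression covering the exact bytes of an inline script."""
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def nonce_check(policy_nonce: str, tag: dict) -> bool:
    """Model of the nonce test: compares the tag's attribute, never its body."""
    tag_nonce = tag.get("nonce")
    return tag_nonce is not None and secrets.compare_digest(policy_nonce, tag_nonce)


def hash_check(allowed_sources: set, tag: dict) -> bool:
    """Model of the hash test: compares a digest of the body that arrived."""
    return hash_source(tag["body"]) in allowed_sources


def compare_mechanisms() -> dict:
    nonce = new_nonce()
    # Constructed sample tags (hypothetical script bodies).
    intended = {"nonce": nonce, "body": "loadWidget();"}
    altered = {"nonce": nonce, "body": "loadWidget(); extra();"}  # body changed
    injected = {"body": "extra();"}  # tag added without knowing the nonce
    allowed = {hash_source(intended["body"])}
    return {
        "nonce_intended": nonce_check(nonce, intended),
        "nonce_injected_tag": nonce_check(nonce, injected),
        "nonce_altered_body": nonce_check(nonce, altered),
        "hash_intended": hash_check(allowed, intended),
        "hash_altered_body": hash_check(allowed, altered),
    }


if __name__ == "__main__":
    for name, result in compare_mechanisms().items():
        print(f"{name}: {result}")
```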